CVE & CISA-KEV Catalog

CVE-2025-21634

MEDIUM
5.5
CVSS v3
NVD

Description

In the Linux kernel, the following vulnerability has been resolved: cgroup/cpuset: remove kernfs active break A warning was found: WARNING: CPU: 10 PID: 3486953 at fs/kernfs/file.c:828 CPU: 10 PID: 3486953 Comm: rmdir Kdump: loaded Tainted: G RIP: 0010:kernfs_should_drain_open_files+0x1a1/0x1b0 RSP: 0018:ffff8881107ef9e0 EFLAGS: 00010202 RAX: 0000000080000002 RBX: ffff888154738c00 RCX: dffffc0000000000 RDX: 0000000000000007 RSI: 0000000000000004 RDI: ffff888154738c04 RBP: ffff888154738c04 R08: ffffffffaf27fa15 R09: ffffed102a8e7180 R10: ffff888154738c07 R11: 0000000000000000 R12: ffff888154738c08 R13: ffff888750f8c000 R14: ffff888750f8c0e8 R15: ffff888154738ca0 FS: 00007f84cd0be740(0000) GS:ffff8887ddc00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000555f9fbe00c8 CR3: 0000000153eec001 CR4: 0000000000370ee0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: kernfs_drain+0x15e/0x2f0 __kernfs_remove+0x165/0x300 kernfs_remove_by_name_ns+0x7b/0xc0 cgroup_rm_file+0x154/0x1c0 cgroup_addrm_files+0x1c2/0x1f0 css_clear_dir+0x77/0x110 kill_css+0x4c/0x1b0 cgroup_destroy_locked+0x194/0x380 cgroup_rmdir+0x2a/0x140 It can be explained by: rmdir echo 1 > cpuset.cpus kernfs_fop_write_iter // active=0 cgroup_rm_file kernfs_remove_by_name_ns kernfs_get_active // active=1 __kernfs_remove // active=0x80000002 kernfs_drain cpuset_write_resmask wait_event //waiting (active == 0x80000001) kernfs_break_active_protection // active = 0x80000001 // continue kernfs_unbreak_active_protection // active = 0x80000002 ... kernfs_should_drain_open_files // warning occurs kernfs_put_active This warning is caused by 'kernfs_break_active_protection' when it is writing to cpuset.cpus, and the cgroup is removed concurrently. The commit 3a5a6d0c2b03 ("cpuset: don't nest cgroup_mutex inside get_online_cpus()") made cpuset_hotplug_workfn asynchronous, This change involves calling flush_work(), which can create a multiple processes circular locking dependency that involve cgroup_mutex, potentially leading to a deadlock. To avoid deadlock. the commit 76bb5ab8f6e3 ("cpuset: break kernfs active protection in cpuset_write_resmask()") added 'kernfs_break_active_protection' in the cpuset_write_resmask. This could lead to this warning. After the commit 2125c0034c5d ("cgroup/cpuset: Make cpuset hotplug processing synchronous"), the cpuset_write_resmask no longer needs to wait the hotplug to finish, which means that concurrent hotplug and cpuset operations are no longer possible. Therefore, the deadlock doesn't exist anymore and it does not have to 'break active protection' now. To fix this warning, just remove kernfs_break_active_protection operation in the 'cpuset_write_resmask'.

How to fix

Remediation Available
linuxDebian
Fixed in:6.12.10-1CVE-2025-21634
Fixed in:6.12.10-1CVE-2025-21634
linuxUbuntu
Fixed in:6.8.0-60.63USN-7513-1
linux-awsUbuntu
Fixed in:6.8.0-1029.31USN-7513-1
linux-aws-6.8Ubuntu
Fixed in:6.8.0-1029.31~22.04.1USN-7513-1
linux-azureUbuntu
Fixed in:6.8.0-1029.34USN-7513-3
linux-azure-6.8Ubuntu
Fixed in:6.8.0-1029.34~22.04.1USN-7513-3
linux-azure-nvidiaUbuntu
Fixed in:6.8.0-1016.17USN-7522-1
linux-gcpUbuntu
Fixed in:6.8.0-1030.32USN-7515-2
linux-gcp-6.8Ubuntu
Fixed in:6.8.0-1030.32~22.04.1USN-7515-2
linux-gkeUbuntu
Fixed in:6.8.0-1025.29USN-7515-1
linux-gkeopUbuntu
Fixed in:6.8.0-1012.14USN-7515-2
linux-hwe-6.11Ubuntu
Fixed in:6.11.0-21.21~24.04.1USN-7379-1
linux-hwe-6.8Ubuntu
Fixed in:6.8.0-60.63~22.04.1USN-7513-4
linux-ibmUbuntu
Fixed in:6.8.0-1026.26USN-7513-1
linux-image-6.11.0-1011-lowlatencyUbuntu
Fixed in:6.11.0-1011.12~24.04.1USN-7381-1
linux-image-6.11.0-1011-lowlatency-64kUbuntu
Fixed in:6.11.0-1011.12~24.04.1USN-7381-1
linux-image-6.11.0-1017-oemUbuntu
Fixed in:6.11.0-1017.17USN-7382-1
linux-image-6.11.0-21-genericUbuntu
Fixed in:6.11.0-21.21~24.04.1+1USN-7379-1
linux-image-6.11.0-21-generic-64kUbuntu
Fixed in:6.11.0-21.21~24.04.1+1USN-7379-1
linux-image-6.8.0-1012-gkeopUbuntu
Fixed in:6.8.0-1012.14USN-7515-2
linux-image-6.8.0-1016-azure-nvidiaUbuntu
Fixed in:6.8.0-1016.17USN-7522-1
linux-image-6.8.0-1025-gkeUbuntu
Fixed in:6.8.0-1025.29USN-7515-1
linux-image-6.8.0-1026-ibmUbuntu
Fixed in:6.8.0-1026.26USN-7513-1
linux-image-6.8.0-1026-oracleUbuntu
Fixed in:6.8.0-1026.27~22.04.1USN-7513-5
Fixed in:6.8.0-1026.27USN-7513-1
linux-image-6.8.0-1026-oracle-64kUbuntu
Fixed in:6.8.0-1026.27~22.04.1USN-7513-5
Fixed in:6.8.0-1026.27USN-7513-1
linux-image-6.8.0-1028-nvidiaUbuntu
Fixed in:6.8.0-1028.31~22.04.1USN-7514-1
Fixed in:6.8.0-1028.31USN-7514-1
linux-image-6.8.0-1028-nvidia-64kUbuntu
Fixed in:6.8.0-1028.31~22.04.1USN-7514-1
Fixed in:6.8.0-1028.31USN-7514-1
linux-image-6.8.0-1028-nvidia-lowlatencyUbuntu
Fixed in:6.8.0-1028.31.1USN-7514-1
linux-image-6.8.0-1028-nvidia-lowlatency-64kUbuntu
Fixed in:6.8.0-1028.31.1USN-7514-1
linux-image-6.8.0-1028-oemUbuntu
Fixed in:6.8.0-1028.28USN-7513-3
linux-image-6.8.0-1028-raspiUbuntu
Fixed in:6.8.0-1028.32USN-7524-1
linux-image-6.8.0-1029-awsUbuntu
Fixed in:6.8.0-1029.31~22.04.1USN-7513-1
Fixed in:6.8.0-1029.31USN-7513-1
linux-image-6.8.0-1029-azureUbuntu
Fixed in:6.8.0-1029.34~22.04.1USN-7513-3
Fixed in:6.8.0-1029.34USN-7513-3
linux-image-6.8.0-1029-azure-fdeUbuntu
Fixed in:6.8.0-1029.34~22.04.1USN-7513-3
Fixed in:6.8.0-1029.34USN-7513-3
linux-image-6.8.0-1030-gcpUbuntu
Fixed in:6.8.0-1030.32~22.04.1USN-7515-2
Fixed in:6.8.0-1030.32USN-7515-2
linux-image-6.8.0-1030-gcp-64kUbuntu
Fixed in:6.8.0-1030.32~22.04.1USN-7515-2
Fixed in:6.8.0-1030.32USN-7515-2
linux-image-6.8.0-2023-raspi-realtimeUbuntu
Fixed in:6.8.0-2023.24USN-7523-1
linux-image-6.8.0-60-genericUbuntu
Fixed in:6.8.0-60.63~22.04.1USN-7513-4
Fixed in:6.8.0-60.63USN-7513-1
linux-image-6.8.0-60-generic-64kUbuntu
Fixed in:6.8.0-60.63~22.04.1USN-7513-4
Fixed in:6.8.0-60.63USN-7513-1
linux-image-6.8.0-60-lowlatencyUbuntu
Fixed in:6.8.0-60.63.1~22.04.1USN-7513-1
Fixed in:6.8.0-60.63.1USN-7513-1
linux-image-6.8.0-60-lowlatency-64kUbuntu
Fixed in:6.8.0-60.63.1~22.04.1USN-7513-1
Fixed in:6.8.0-60.63.1USN-7513-1
linux-image-6.8.1-1022-realtimeUbuntu
Fixed in:6.8.1-1022.23USN-7513-2
linux-image-awsUbuntu
Fixed in:6.8.0-1029.31~22.04.1USN-7513-1
Fixed in:6.8.0-1029.31USN-7513-1
linux-image-aws-lts-24.04Ubuntu
Fixed in:6.8.0-1029.31USN-7513-1
linux-image-azureUbuntu
Fixed in:6.8.0-1029.34~22.04.1USN-7513-3
linux-image-azure-fdeUbuntu
Fixed in:6.8.0-1029.34~22.04.1USN-7513-3
linux-image-azure-fde-lts-24.04Ubuntu
Fixed in:6.8.0-1029.34USN-7513-3
linux-image-azure-lts-24.04Ubuntu
Fixed in:6.8.0-1029.34USN-7513-3
linux-image-azure-nvidiaUbuntu
Fixed in:6.8.0-1016.17USN-7522-1
linux-image-gcpUbuntu
Fixed in:6.8.0-1030.32~22.04.1USN-7515-2
linux-image-gcp-64kUbuntu
Fixed in:6.8.0-1030.32~22.04.1USN-7515-2
linux-image-gcp-64k-lts-24.04Ubuntu
Fixed in:6.8.0-1030.32USN-7515-2
linux-image-gcp-lts-24.04Ubuntu
Fixed in:6.8.0-1030.32USN-7515-2
linux-image-genericUbuntu
Fixed in:6.8.0-60.63USN-7513-1
linux-image-generic-64kUbuntu
Fixed in:6.8.0-60.63USN-7513-1
linux-image-generic-64k-hwe-22.04Ubuntu
Fixed in:6.8.0-60.63~22.04.1USN-7513-4
linux-image-generic-64k-hwe-24.04Ubuntu
Fixed in:6.11.0-21.21~24.04.1USN-7379-1
linux-image-generic-hwe-22.04Ubuntu
Fixed in:6.8.0-60.63~22.04.1USN-7513-4
linux-image-generic-hwe-24.04Ubuntu
Fixed in:6.11.0-21.21~24.04.1USN-7379-1
linux-image-generic-lpaeUbuntu
Fixed in:6.8.0-60.63USN-7513-1
linux-image-gkeUbuntu
Fixed in:6.8.0-1025.29USN-7515-1
linux-image-gkeopUbuntu
Fixed in:6.8.0-1012.14USN-7515-2
linux-image-gkeop-6.8Ubuntu
Fixed in:6.8.0-1012.14USN-7515-2
linux-image-ibmUbuntu
Fixed in:6.8.0-1026.26USN-7513-1
linux-image-ibm-classicUbuntu
Fixed in:6.8.0-1026.26USN-7513-1
linux-image-ibm-lts-24.04Ubuntu
Fixed in:6.8.0-1026.26USN-7513-1
linux-image-kvmUbuntu
Fixed in:6.8.0-60.63USN-7513-1
linux-image-lowlatencyUbuntu
Fixed in:6.8.0-60.63.1USN-7513-1
linux-image-lowlatency-64kUbuntu
Fixed in:6.8.0-60.63.1USN-7513-1
linux-image-lowlatency-64k-hwe-22.04Ubuntu
Fixed in:6.8.0-60.63.1~22.04.1USN-7513-1
linux-image-lowlatency-64k-hwe-24.04Ubuntu
Fixed in:6.11.0-1011.12~24.04.1USN-7381-1
linux-image-lowlatency-hwe-22.04Ubuntu
Fixed in:6.8.0-60.63.1~22.04.1USN-7513-1
linux-image-lowlatency-hwe-24.04Ubuntu
Fixed in:6.11.0-1011.12~24.04.1USN-7381-1
linux-image-nvidiaUbuntu
Fixed in:6.8.0-1028.31USN-7514-1
linux-image-nvidia-6.8Ubuntu
Fixed in:6.8.0-1028.31~22.04.1USN-7514-1
linux-image-nvidia-64kUbuntu
Fixed in:6.8.0-1028.31USN-7514-1
linux-image-nvidia-64k-6.8Ubuntu
Fixed in:6.8.0-1028.31~22.04.1USN-7514-1
linux-image-nvidia-64k-hwe-22.04Ubuntu
Fixed in:6.8.0-1028.31~22.04.1USN-7514-1
linux-image-nvidia-hwe-22.04Ubuntu
Fixed in:6.8.0-1028.31~22.04.1USN-7514-1
linux-image-nvidia-lowlatencyUbuntu
Fixed in:6.8.0-1028.31.1USN-7514-1
linux-image-nvidia-lowlatency-64kUbuntu
Fixed in:6.8.0-1028.31.1USN-7514-1
linux-image-oem-22.04Ubuntu
Fixed in:6.8.0-60.63~22.04.1USN-7513-4
linux-image-oem-22.04aUbuntu
Fixed in:6.8.0-60.63~22.04.1USN-7513-4
linux-image-oem-22.04bUbuntu
Fixed in:6.8.0-60.63~22.04.1USN-7513-4
linux-image-oem-22.04cUbuntu
Fixed in:6.8.0-60.63~22.04.1USN-7513-4
linux-image-oem-22.04dUbuntu
Fixed in:6.8.0-60.63~22.04.1USN-7513-4
linux-image-oem-24.04Ubuntu
Fixed in:6.8.0-1028.28USN-7513-3
linux-image-oem-24.04aUbuntu
Fixed in:6.8.0-1028.28USN-7513-3
linux-image-oem-24.04bUbuntu
Fixed in:6.11.0-1017.17USN-7382-1
linux-image-oracleUbuntu
Fixed in:6.8.0-1026.27~22.04.1USN-7513-5
Fixed in:6.8.0-1026.27USN-7513-1
linux-image-oracle-64kUbuntu
Fixed in:6.8.0-1026.27~22.04.1USN-7513-5
Fixed in:6.8.0-1026.27USN-7513-1
linux-image-oracle-64k-lts-24.04Ubuntu
Fixed in:6.8.0-1026.27USN-7513-1
linux-image-oracle-lts-24.04Ubuntu
Fixed in:6.8.0-1026.27USN-7513-1
linux-image-raspiUbuntu
Fixed in:6.8.0-1028.32USN-7524-1
linux-image-raspi-realtimeUbuntu
Fixed in:6.8.0-2023.24USN-7523-1
linux-image-realtimeUbuntu
Fixed in:6.8.1-1022.23USN-7513-2
linux-image-virtualUbuntu
Fixed in:6.8.0-60.63USN-7513-1
linux-image-virtual-hwe-22.04Ubuntu
Fixed in:6.8.0-60.63~22.04.1USN-7513-4
linux-image-virtual-hwe-24.04Ubuntu
Fixed in:6.11.0-21.21~24.04.1USN-7379-1
linux-lowlatencyUbuntu
Fixed in:6.8.0-60.63.1USN-7513-1
linux-lowlatency-hwe-6.11Ubuntu
Fixed in:6.11.0-1011.12~24.04.1USN-7381-1
linux-lowlatency-hwe-6.8Ubuntu
Fixed in:6.8.0-60.63.1~22.04.1USN-7513-1
linux-nvidiaUbuntu
Fixed in:6.8.0-1028.31USN-7514-1
linux-nvidia-6.8Ubuntu
Fixed in:6.8.0-1028.31~22.04.1USN-7514-1
linux-nvidia-lowlatencyUbuntu
Fixed in:6.8.0-1028.31.1USN-7514-1
linux-oem-6.11Ubuntu
Fixed in:6.11.0-1017.17USN-7382-1
linux-oem-6.8Ubuntu
Fixed in:6.8.0-1028.28USN-7513-3
linux-oracleUbuntu
Fixed in:6.8.0-1026.27USN-7513-1
linux-oracle-6.8Ubuntu
Fixed in:6.8.0-1026.27~22.04.1USN-7513-5
linux-raspiUbuntu
Fixed in:6.8.0-1028.32USN-7524-1
linux-raspi-realtimeUbuntu
Fixed in:6.8.0-2023.24USN-7523-1
linux-realtimeUbuntu
Fixed in:6.8.1-1022.23USN-7513-2

Remediation is compiled from vendor and distribution security advisories. Always confirm against the linked source for your exact version and platform.

CVSS v3 Vector

Exploitability

Attack VectorLocal
Attack ComplexityLow
Privileges RequiredLow
User InteractionNone
ScopeUnchanged

Impact

ConfidentialityNone
IntegrityNone
AvailabilityHigh

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Exploit Intelligence

0.14%probability of exploitation in 30 days
4thpercentile

Low risk: more likely to be exploited than 4% of all known CVEs.

References

Related Vulnerabilities

Other CWE-667 vulnerabilities, ordered by exploit likelihood. View all

CVESeverityCVSSEPSSExploitedFix
CVE-2019-10072High7.573%-Fix
CVE-2002-1850High7.517%-Fix
CVE-2009-2699High7.514%-Fix
CVE-2004-0174High7.512%--
CVE-2009-4272High7.511%--
CVE-2020-24606High8.65.2%-Fix
Embed a live status badge for CVE-2025-21634
CVE-2025-21634 severity badge

Markdown

[![CVE-2025-21634](https://tridentstack.com/cve/badge/CVE-2025-21634.svg)](https://tridentstack.com/cve/CVE-2025-21634)

HTML

<a href="https://tridentstack.com/cve/CVE-2025-21634"><img src="https://tridentstack.com/cve/badge/CVE-2025-21634.svg" alt="CVE-2025-21634"></a>

Find and fix vulnerabilities across your fleet

TridentStack Control continuously scans your Windows, macOS, and Linux fleet for known vulnerabilities, prioritizes them by severity and active exploitation, and patches them automatically.

Start free

This product uses NVD data but is not endorsed or certified by the NVD. EPSS scores courtesy of FIRST.org (https://www.first.org/epss). Source: CISA KEV Catalog. Data as of 2025-10-01.